What does it mean to use a common language when threat hunting?
Threat hunting sometimes feels like an ineffective, endless activity where the common practice is to search for threats based on hunches and previous knowledge— leaving an open opportunity for elusive attackers.
A recent white paper by Matt Bromiley, a SANS digital forensics and incident response instructor, presents a new way of thinking about threat hunting, one that uses the MITRE ATT&CK Matrix as a vocabulary, not as a marketing tool. Identifying threat actor objectives, techniques, and tactics enables you to hunt for threats in the context of how attackers achieve their objective rather than as a single activity. When you “speak ATT&CK,” your team will find a common vocabulary to describe the desired result of a hunt and approach your environment in a new way.
One common mistake seen in organizations during threat hunts is keeping the organization separate at the artifact level. Threat actors don’t attack environments in a gradual fashion, so good threat hunting should include all parts of the organization that could be impacted by activity. Threat hunters should move beyond thinking about how something is being abused. Instead, think about the what, where and how by utilizing a common vocabulary to help define and shed light on a particular hunting activity.
Use threat hunting to accumulate visibility and insight into your environment. Think of threat hunting in terms of the new vocabulary to launch hunts that look for attack behaviors like lateral movement and exfiltration. A common threat-hunting vocabulary will help you identify visibility gaps and drive security-posture decisions.
The MITRE ATT&CK Matrix can be used to effectively address categories and techniques and how they are being used by attackers thus allowing your team to speak more succinctly about threat hunting. Categories such as Credential Access and Defense Evasion can serve as high-level “starter” words for how you want to begin thinking about threats and approach threat hunting as you go from a high-level and work through the various steps.
A useful takeaway from the MITRE ATT&CK Matrix is the ability to combine various techniques to represent the activities of a specific group. This can help determine where you could and couldn’t detect a threat actor. It can also be used in your hunts to detect the presence of a threat group. You can then bridge these techniques across multiple threat groups while achieving coverage and insight across the entire spectrum simultaneously.
Start thinking about threat hunting by using terms from the MITRE ATT&CK Matrix to frame the context and guide what you can and cannot see within your environment.
To learn more about the MITRE ATT&CK Matrix, check out the white paper as well as the webcast.